Auditing failed logon events and account lockouts

Applies to: Windows SBS 2003

Auditing the number of failed attempts to log on by a user helps you learn about brute force, dictionary, and other password attacks on the server. In Windows Small Business Server 2003, auditing logon failure events and account lockouts is enabled by default.

You can disable auditing of logon failure events and account lockout by using the Small Business Server Auditing and Small Business Server Lockout Policy. For more information, see To disable or enable the auditing and account lockout policy.

Auditing logon failure events

In Windows Small Business Server 2003, the Audit logon events setting is set to Failure. Failure audits generate an audit entry when a logon attempt fails, so every invalid logon attempt on the server generates a message in the event log. You can view the generated event message in the performance reports when you configure monitoring for the server. For more information about configuring monitoring, see Monitoring overview.

For more information about Audit logon events, see "Audit account logon events" at the Microsoft Web site (https://go.microsoft.com/fwlink/?LinkId=71626).

Account lockout policy

Account lockout policy disables a user account if the user enters an incorrect password a specified number of times within a specified time. These policy settings help you to prevent attackers from guessing users' passwords, and they decrease the likelihood of successful attacks on your network. The following table describes the settings that are assigned for the account lockout.

| Account lockout policy security setting | Description of security setting | Assigned value |
| --- | --- | --- |
| Account lockout duration | Determines the number of minutes a locked-out account remains locked out before automatically becoming unlocked. | 10 minutes |
| Account lockout threshold | Determines the number of failed logon attempts that causes a user account to be locked out. | 50 failed logon attempts |
| Reset account lockout counter after | Determines the number of minutes that must elapse after a failed logon attempt before the failed logon attempt counter is reset to 0 bad logon attempts. | 10 minutes |

When an account lockout occurs, it generates a message in the event log. You can view the message by using performance reports or the Event Viewer. For information about what steps you should take when a user account gets locked out, see "Windows Small Business Server 2003 Troubleshooting" at the Microsoft Web site (https://go.microsoft.com/fwlink/?LinkId=71630). You can also receive an alert notification about the account lockout when you configure monitoring for the server. For more information about alert notifications, see Understanding alert notifications. For more information about configuring monitoring, see Monitoring overview.
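The following added example (not part of the original page and not Microsoft code) replays a list of failed-logon records through the three assigned values in the table to show when a lockout would be generated. It is a simplified model of the settings as this page describes them; the account names, timestamps, function names and the rule that attempts during a lockout are not counted are assumptions.

```python
from datetime import datetime, timedelta

# Assigned values from the table on this page.
LOCKOUT_THRESHOLD = 50
LOCKOUT_DURATION = timedelta(minutes=10)
RESET_COUNTER_AFTER = timedelta(minutes=10)


def replay_lockouts(failures, threshold=LOCKOUT_THRESHOLD,
                    duration=LOCKOUT_DURATION, reset_after=RESET_COUNTER_AFTER):
    """Replay (timestamp, account) failed-logon records and return a list of
    (account, locked_at, unlocked_at) for every lockout the policy would cause."""
    state = {}      # account -> (failure count, last failure time, locked until)
    lockouts = []
    for ts, account in sorted(failures):
        count, last, locked_until = state.get(account, (0, None, None))
        if locked_until is not None and ts < locked_until:
            continue    # assumption: attempts during a lockout are not counted
        if last is not None and ts - last >= reset_after:
            count = 0   # quiet period elapsed, counter back to 0
        count += 1
        locked_until = None
        if count >= threshold:
            locked_until = ts + duration
            lockouts.append((account, ts, locked_until))
            count = 0
        state[account] = (count, ts, locked_until)
    return lockouts


def constructed_sample():
    """Constructed records: 'alice' gets 60 failures 5 seconds apart; 'bob'
    mistypes 3 times, then 3 more times half an hour later."""
    start = datetime(2006, 1, 9, 8, 0, 0)
    records = [(start + timedelta(seconds=5 * i), "alice") for i in range(60)]
    for offset in (0, 30):
        base = start + timedelta(minutes=offset)
        records += [(base + timedelta(seconds=20 * i), "bob") for i in range(3)]
    return records


if __name__ == "__main__":
    for account, locked_at, unlocked_at in replay_lockouts(constructed_sample()):
        print(f"{account}: locked {locked_at:%H:%M:%S}, unlocks {unlocked_at:%H:%M:%S}")
```

Every record fed to the function corresponds to one failure audit entry, so accounts that never reach the threshold still appear in the event log and the performance reports even though no lockout message is generated for them.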